views: 51

answers: 2
I have this MySQL query:

UPDATE `table`.`wp_12_postmeta` 
   SET `meta_value` = 'yyy' 
 WHERE `wp_12_postmeta`.`meta_id` =5 
 LIMIT 1 ;

How do I incorporate this:

  • instead of wp_12_ I want a variable $prefix (the variable holds wp_4_, wp_3_, etc.)
  • instead of yyy I want a value $perf (the variable is a name)
  • instead of 5 I want a value $meta_id (the variable is a number)

Thank you!

P.S.

Here is what I use and it works:

$wpdb->query("UPDATE ".$prefix."postmeta SET meta_value = '".$perf."' WHERE meta_id = '".$meta_id."' LIMIT 1 "); 

The problem is, when I execute this query, several post meta fields are updated instead of just one. Thank you.

+1  A: 

Here's how I would write this with PDO:

$prefix = "wp_4_";
$sql = "UPDATE `table`.`{$prefix}postmeta` SET `meta_value` = ? 
  WHERE `{$prefix}postmeta`.`meta_id` = ? LIMIT 1";

$stmt = $pdo->prepare($sql);
$stmt->execute(array($perf, $meta_id));
Bill Karwin
Shouldn't you escape the $prefix?
Codeacula
@Codeacula: The $prefix is a string I have hard-coded in the above example. It doesn't come from an untrusted source. Besides, what function would you suggest I use that would escape a back-tick? Certainly mysql_real_escape_string() doesn't do that.
Bill Karwin
You have it hardcoded, yes, but I'd be willing to bet the OP would use the code as-is, and that $prefix would likely end up getting changed by who knows what source. And perhaps it's paranoia that causes me to want to sanitize every single variable that comes from user input. To each their own, I guess.
Codeacula
@Codeacula: I do support defensive programming and being mindful of SQL injection risks. See http://www.slideshare.net/billkarwin/sql-injection-myths-and-fallacies . What would you suggest is the best remedy in this case?
Bill Karwin
Go with the remedy you provided at the end, I guess. And, if you don't mind, I'm going to share your report.
Codeacula
@Codeacula: Yes, be my guest! Also, I'll be presenting that talk at ZendCon in Santa Clara in November 2010.
Bill Karwin
+2  A: 

Use:

$query = sprintf("UPDATE `table`.`%s` 
                    SET `meta_value` = '%s' 
                  WHERE `%s`.`meta_id` = %d 
                   LIMIT 1 ",
                 mysql_real_escape_string($prefix),
                 mysql_real_escape_string($perf),
                 mysql_real_escape_string($prefix),
                 mysql_real_escape_string($meta_id));
OMG Ponies
You forgot the wp_12_ in the WHERE, also.
Codeacula
@Codeacula: Thx, corrected
OMG Ponies
+1 because I always love sprintf over the usual concatenation for queries. Especially manageable when you're writing a headache of a query.
Codeacula
mysql_real_escape_string() is not the right solution for table or column identifiers. If for no other reason than it does not escape the back-tick: `
Bill Karwin
@Bill, I think the backticks should be included around the `%s`
Peter Ajtai
@Peter Ajtai: I agree, but like Bill says, mysql_real_escape_string won't escape a lone backtick
OMG Ponies
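Both answers and their comment threads turn on the same point: `$perf` and `$meta_id` are values and can be bound, but the table prefix is an identifier, which neither `mysql_real_escape_string()` nor a placeholder can protect. The following is an added example (not code from the question or either answer) showing the `$wpdb` way to handle that split: derive the prefix from the blog id, validate its shape before interpolating it, and bind the values with `$wpdb->prepare()` or `$wpdb->update()`. It assumes a WordPress multisite context where `$wpdb->get_blog_prefix()` is available; `update_blog_postmeta` and `update_blog_postmeta_alt` are names chosen for this example.

```php
<?php
// Added example, not from the original question or answers.
// Assumes WordPress multisite, where $wpdb->get_blog_prefix() exists.

/**
 * Update one postmeta row of one blog.
 * $blog_id: int, $perf: string value, $meta_id: int primary key.
 * Returns the number of rows affected, or false on error / bad prefix.
 */
function update_blog_postmeta($blog_id, $perf, $meta_id) {
    global $wpdb;

    // Derive the prefix ("wp_4_", ...) from an integer instead of accepting
    // a free-form string; an int cannot carry a backtick or a comment.
    $prefix = $wpdb->get_blog_prefix((int) $blog_id);

    // Identifiers cannot be bound via prepare() and are not protected by
    // mysql_real_escape_string(), so restrict the prefix to the only shape
    // it can legitimately have before it is interpolated into SQL.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        return false;
    }
    $table = "`{$prefix}postmeta`";

    // Values go through prepare(): %s is quoted and escaped, %d cast to int.
    $sql = $wpdb->prepare(
        "UPDATE {$table} SET `meta_value` = %s WHERE `meta_id` = %d LIMIT 1",
        $perf,
        $meta_id
    );
    return $wpdb->query($sql);
}

// Same update via $wpdb->update(), which quotes the values itself; the two
// format arrays pin the type of each SET and WHERE value.
function update_blog_postmeta_alt($blog_id, $perf, $meta_id) {
    global $wpdb;
    $prefix = $wpdb->get_blog_prefix((int) $blog_id);
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        return false;
    }
    return $wpdb->update(
        $prefix . 'postmeta',
        array('meta_value' => $perf),     // SET clause
        array('meta_id'    => $meta_id),  // WHERE clause
        array('%s'),                      // format for meta_value
        array('%d')                       // format for meta_id
    );
}
```

The regex check is deliberately stricter than what MySQL allows in a quoted identifier; a prefix that fails it is treated as an error rather than "escaped", because there is no escaping function on this page that would make an arbitrary identifier safe.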